Malicious PDF — malware analysis report

Static analysis result for SHA-256 497cf0f846eb37cd…

MALICIOUS

PDF

33.2 KB Created: 2020-08-06 20:53:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 60077e76063251ce188a7571c4f0659e SHA-1: a777f36ea5a18af5953f297f7054dbc5bef51029 SHA-256: 497cf0f846eb37cd7804ae24c44d554e72d3feb8c3114dcd624cef52640e1af6
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1200 Hardware Add-in T1059.001 PowerShell

The PDF contains a heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.cc/pify?keyword=dominoes+quick+starter+ali+baba+and+the+forty+thieves+pdf'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, many hosted on cdn.shopify.com. The document body, though heavily obfuscated, contains the same malicious URL and appears to be a lure for users to click on it, likely leading to further malicious content.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/pify?keyword=dominoes+quick+starter+ali+baba+and+the+forty+thieves+pdf
    • http://files.vegasholidaycondos.com/uploads/1/3/0/7/130775032/4677834.pdf
    • http://files.merakibeeswaxwraps.com/uploads/1/3/0/7/130739027/420664d95b.pdf
    • http://files.scrimsmustangclassicyamahadtrestoration.com/uploads/1/3/0/7/130740249/4780272.pdf
    • https://cdn.shopify.com/s/files/1/0439/4919/5419/files/english_to_japanese_dictionary_free_download.pdf
    • https://cdn.shopify.com/s/files/1/0433/0687/7080/files/fokukivovasogu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3583/6068/files/rirefagazovovumoti.pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/51025654711.pdf
    • https://cdn.shopify.com/s/files/1/0433/9925/0072/files/bebunuru.pdf
    • https://cdn.shopify.com/s/files/1/0432/9570/3204/files/zapunox.pdf
    • https://cdn.shopify.com/s/files/1/0431/6564/7012/files/oh_shit_git.pdf
    • https://cdn.shopify.com/s/files/1/0433/4852/5206/files/pdftk_command_line_linux.pdf
    • https://cdn.shopify.com/s/files/1/0432/3144/5149/files/how_does_an_anion_of_nitrogen_form.pdf
    • https://cdn.shopify.com/s/files/1/0430/4555/2290/files/37554586480.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000426a.bin
abda91b3c6c2f9d336e13a024bd25aabb8295b75e287e63aeb81772e96f04efd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x426A 5884 bytes
font_01_sfnt_off0000565c.bin
cdf58eb66a20f4f7970922bc51e874ccb38b699c4229e4628d309dc472c4d39a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x565C 9884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.